We've deployed a service to Cloud Run which uses the Firebase Admin SDK. This service uses multiple auth-related methods. We've found out that if we do not include the GOOGLE_CLOUD_PROJECT env var, the method setCustomUserClaims(...) throws the following error:
Failed to determine project ID for Auth. Initialize the SDK with service account credentials or set project ID as an app option. Alternatively set the GOOGLE_CLOUD_PROJECT environment variable.
However, we've also checked that if the env var is not present, other methods, such as createCustomToken(...), work just fine. How is this possible? Should we use GOOGLE_CLOUD_PROJECT or not?
CodePudding user response:
createCustomToken mints and signs its authentication tokens within the SDK.
This is in contrast to setCustomUserClaims, which has to make network calls to do its job, mainly to the endpoint:
https://identitytoolkit.googleapis.com/{version}/projects/{projectId}/accounts:update
As this endpoint uses the Project ID, it needs to be provided from somewhere.
As of the time of writing, it looks for it in these locations, in the following order:
1. options.projectId from initializeApp() (this is normally filled in by process.env.FIREBASE_CONFIG)
2. options.credential.projectId from initializeApp(), if the credential is a ServiceAccountCredential
3. process.env.GOOGLE_CLOUD_PROJECT
4. process.env.GCLOUD_PROJECT
5. options.credential.getProjectId() from initializeApp(), if the credential is a ComputeEngineCredential
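The lookup order from the answer above, modelled as a startup check. This is an added example, not part of the original answer and not firebase-admin's own code: resolveProjectIdSource and assertProjectIdAvailable are hypothetical helpers, credential types are detected by duck typing as an assumption, and any project IDs passed in are sample values.

```javascript
// Models the lookup order listed in the answer; not firebase-admin code.
// `options` stands for the object passed to initializeApp().
function resolveProjectIdSource(options = {}, env = process.env) {
  const nonEmpty = (v) => typeof v === 'string' && v.length > 0;
  const cred = options.credential;

  // 1. Explicit app option.
  if (nonEmpty(options.projectId)) {
    return { source: 'options.projectId', projectId: options.projectId };
  }
  // 2. Service-account credential carrying its own project ID
  //    (assumption: recognised by a string `projectId` property).
  if (cred && nonEmpty(cred.projectId)) {
    return { source: 'options.credential.projectId', projectId: cred.projectId };
  }
  // 3 and 4. Environment variables, checked in this order.
  for (const name of ['GOOGLE_CLOUD_PROJECT', 'GCLOUD_PROJECT']) {
    if (nonEmpty(env[name])) {
      return { source: `process.env.${name}`, projectId: env[name] };
    }
  }
  // 5. Credential that can look the ID up itself. The value is only known
  //    after an asynchronous call, so it is reported as null here.
  if (cred && typeof cred.getProjectId === 'function') {
    return { source: 'options.credential.getProjectId()', projectId: null };
  }
  return { source: null, projectId: null };
}

// Fail at startup instead of on the first setCustomUserClaims() call.
function assertProjectIdAvailable(options, env) {
  const found = resolveProjectIdSource(options, env);
  if (found.source === null) {
    throw new Error(
      'No project ID source found: pass projectId to initializeApp() ' +
      'or set GOOGLE_CLOUD_PROJECT'
    );
  }
  return found;
}
```

Calling assertProjectIdAvailable with the same options given to initializeApp() before the service starts accepting requests reports which source supplies the project ID, or throws if none does.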